
Race is On To Notify Owners After Public List of IoT Device Credentials Published

A list of device IPs and credentials has gone viral since Thursday, kicking off an effort by researchers to notify the owners of these connected devices before they’re hacked.

Researchers are in a full-out sprint to notify the owners of a substantial list of connected devices and associated telnet credentials that has been available on Pastebin since June but gone viral since Thursday when it was posted on Twitter.

The list has more than 20,000 views as of Saturday morning, up substantially from fewer than 1,000 on Thursday.

The credentials, many of which are default and well known (i.e., admin:admin, root:root, or no authentication required), afford anyone access to a multitude of routers and other devices. Similar devices have been co-opted in the last nine months to carry out DDoS attacks against a number of high-value targets.

Victor Gevers, founder of the GDI Foundation, has analyzed the list and told Threatpost Friday afternoon that of the 33,000-plus IP addresses on the list, 1,775 were still reachable.

“The other ones were ‘filtered’ so the telnet service was not reachable anymore,” Gevers said, adding that he sent emails to the 1,775 reachable hosts warning them to change their credentials and/or close off telnet access. Most of the reachable IPs (61 percent), he said, were in China, and most of the remaining in the rest of Asia.

Many of the 33,000 IP addresses on the list are duplicates, some 10 times over, indicating either there are multiple accounts on the same IP, or they’ve already been abused over and over.

“They are starting to behave [badly] and end up on an IP-block list,” Gevers said.

Some of the default credentials have been changed already, and Gevers said there are more than 8,200 unique hosts, and 2,174 still running open telnet services as of Friday.

The Pastebin was found by researcher Ankit Anubhav, who made the data public for other researchers. The account has been viewed more than 36,000 times. The Pastebin also contains numerous other scripts, some with malicious-sounding names such as “Easy To Root Kit,” “Mirai Bots,” “Mirai-CrossCompiler,” “Apache Struts 2 RCE Auto-Exploiter v2,” “Slowloris DDoS Attack Script,” and many others referring to known and recent attacks or disclosures.

“This person who pasted the Pastebin has a collection of scripts that could have been used [maliciously],” Gevers said.

Gevers said that as of Friday afternoon, he had 12 replies to his email notifications and a few direct messages on Twitter.

Infamously, a Mirai botnet was used to take down DNS provider Dyn, taking with it a handful of popular internet services. It was also used to DDoS French webhost OVH and security news site Krebs on Security.

That botnet was composed mostly of IP-enabled cameras and DVRs, the first time connected devices had been abused in such a public fashion, at the same time heralding a new age of awareness around the insecurity of these devices. Experts cautioned that this problem extends beyond security cameras and DVRs, and that IoT vulnerabilities can be leveraged against connected health care devices and critical infrastructure.

Authors

Threatpost
